prometheus-dnssec-exporter/main_test.go

package main

import (
	"crypto/ecdsa"
	"io/ioutil"
	"log"
	"net"
	"testing"
	"time"

	"github.com/miekg/dns"
)

type opts struct {
	signed          time.Time
	expires         time.Time
	rcode           int
	unauthenticated bool
}

func nullLogger() *log.Logger {
	return log.New(ioutil.Discard, "", log.LstdFlags)
}

func runServer(t *testing.T, opts opts) ([]string, func()) {

	if opts.signed.IsZero() {
		opts.signed = time.Now().Add(-time.Hour)
	}

	if opts.expires.IsZero() {
		opts.expires = time.Now().Add(14 * 24 * time.Hour)
	}

	dnskey := &dns.DNSKEY{
		Algorithm: dns.ECDSAP256SHA256,
		Flags:     dns.ZONE,
		Protocol:  3,
	}

	privkey, err := dnskey.Generate(256)
	if err != nil {
		t.Fatalf("couldn't generate private key: %v", err)
	}

	h := dns.NewServeMux()
	h.HandleFunc("example.org.", func(rw dns.ResponseWriter, msg *dns.Msg) {

		q := msg.Question[0]

		soa := &dns.SOA{
			Hdr: dns.RR_Header{
				Name:   q.Name,
				Rrtype: dns.TypeSOA,
				Class:  dns.ClassINET,
				Ttl:    3600,
			},
			Ns:      "ns1.example.org.",
			Mbox:    "test.example.org.",
			Serial:  1,
			Refresh: 14400,
			Retry:   3600,
			Expire:  7200,
			Minttl:  60,
		}

		switch q.Qtype {

		case dns.TypeRRSIG:

			rrHeader := dns.RR_Header{
				Name:   q.Name,
				Rrtype: dns.TypeRRSIG,
				Class:  dns.ClassINET,
				Ttl:    3600,
			}

			answer := &dns.RRSIG{
				Hdr:         rrHeader,
				TypeCovered: dns.TypeSOA,
				Algorithm:   dnskey.Algorithm,
				Labels:      uint8(dns.CountLabel(q.Name)),
				OrigTtl:     3600,
				Expiration:  uint32(opts.expires.Unix()),
				Inception:   uint32(opts.signed.Unix()),
				KeyTag:      dnskey.KeyTag(),
				SignerName:  q.Name,
			}

			if err := answer.Sign(privkey.(*ecdsa.PrivateKey), []dns.RR{soa}); err != nil {
				t.Fatalf("couldn't sign SOA record: %v", err)
			}

			msg.Answer = append(msg.Answer, answer)

		case dns.TypeSOA:

			msg.Answer = append(msg.Answer, soa)

		}

		msg.AuthenticatedData = !opts.unauthenticated
		msg.Rcode = opts.rcode

		rw.WriteMsg(msg)

	})

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		t.Fatalf("listen failed: %v", err)
	}

	server := &dns.Server{
		Listener: ln,
		Handler:  h,
	}

	go func() {
		server.ActivateAndServe()
	}()

	done := make(chan bool)

	go func() {
		<-done
		server.Shutdown()
		ln.Close()
	}()

	return []string{ln.Addr().String()}, func() {
		done <- true
	}

}

func TestExpirationOK(t *testing.T) {

	addr, cancel := runServer(t, opts{})
	defer cancel()

	e := NewDNSSECExporter(time.Second, addr, nullLogger())

	exp := e.expiration("example.org", "@", "SOA")

	if exp.Before(time.Now()) {
		t.Fatalf("expected expiration to be in the future, was: %v", exp)
	}

}

func TestExpired(t *testing.T) {

	addr, cancel := runServer(t, opts{
		signed:  time.Now().Add(14 * 24 * time.Hour),
		expires: time.Now().Add(-time.Hour),
	})

	defer cancel()

	e := NewDNSSECExporter(time.Second, addr, nullLogger())

	exp := e.expiration("example.org", "@", "SOA")

	if exp.After(time.Now()) {
		t.Fatalf("expected expiration to be in the past, was: %v", exp)
	}

}

func TestValid(t *testing.T) {

	addr, cancel := runServer(t, opts{
		signed:  time.Now().Add(14 * 24 * time.Hour),
		expires: time.Now().Add(-time.Hour),
	})

	defer cancel()

	e := NewDNSSECExporter(time.Second, addr, nullLogger())

	valid := e.resolve("example.org", "@", "SOA", addr[0])

	if !valid {
		t.Fatal("expected valid result")
	}

}

func TestInvalidError(t *testing.T) {

	addr, cancel := runServer(t, opts{
		rcode: dns.RcodeServerFailure,
	})

	defer cancel()

	e := NewDNSSECExporter(time.Second, addr, nullLogger())

	valid := e.resolve("example.org", "@", "SOA", addr[0])

	if valid {
		t.Fatal("expected invalid result")
	}

}

func TestInvalidUnauthenticated(t *testing.T) {

	addr, cancel := runServer(t, opts{
		unauthenticated: true,
	})

	defer cancel()

	e := NewDNSSECExporter(time.Second, addr, nullLogger())

	valid := e.resolve("example.org", "@", "SOA", addr[0])

	if valid {
		t.Fatal("expected invalid result")
	}

}
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`package main`

			`import (`
			`"crypto/ecdsa"`
			`"io/ioutil"`
			`"log"`
			`"net"`
			`"testing"`
			`"time"`

			`"github.com/miekg/dns"`
			`)`

			`type opts struct {`
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`signed time.Time`
			`expires time.Time`
			`rcode int`
			`unauthenticated bool`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`}`

			`func nullLogger() *log.Logger {`
			`return log.New(ioutil.Discard, "", log.LstdFlags)`
			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`func runServer(t *testing.T, opts opts) ([]string, func()) {`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
			`if opts.signed.IsZero() {`
			`opts.signed = time.Now().Add(-time.Hour)`
			`}`

			`if opts.expires.IsZero() {`
			`opts.expires = time.Now().Add(14 * 24 * time.Hour)`
			`}`

			`dnskey := &dns.DNSKEY{`
			`Algorithm: dns.ECDSAP256SHA256,`
			`Flags: dns.ZONE,`
			`Protocol: 3,`
			`}`

			`privkey, err := dnskey.Generate(256)`
			`if err != nil {`
			`t.Fatalf("couldn't generate private key: %v", err)`
			`}`

			`h := dns.NewServeMux()`
			`h.HandleFunc("example.org.", func(rw dns.ResponseWriter, msg *dns.Msg) {`

			`q := msg.Question[0]`

			`soa := &dns.SOA{`
			`Hdr: dns.RR_Header{`
			`Name: q.Name,`
			`Rrtype: dns.TypeSOA,`
			`Class: dns.ClassINET,`
			`Ttl: 3600,`
			`},`
			`Ns: "ns1.example.org.",`
			`Mbox: "test.example.org.",`
			`Serial: 1,`
			`Refresh: 14400,`
			`Retry: 3600,`
			`Expire: 7200,`
			`Minttl: 60,`
			`}`

			`switch q.Qtype {`

			`case dns.TypeRRSIG:`

			`rrHeader := dns.RR_Header{`
			`Name: q.Name,`
			`Rrtype: dns.TypeRRSIG,`
			`Class: dns.ClassINET,`
			`Ttl: 3600,`
			`}`

			`answer := &dns.RRSIG{`
			`Hdr: rrHeader,`
			`TypeCovered: dns.TypeSOA,`
			`Algorithm: dnskey.Algorithm,`
			`Labels: uint8(dns.CountLabel(q.Name)),`
			`OrigTtl: 3600,`
			`Expiration: uint32(opts.expires.Unix()),`
			`Inception: uint32(opts.signed.Unix()),`
			`KeyTag: dnskey.KeyTag(),`
			`SignerName: q.Name,`
			`}`

			`if err := answer.Sign(privkey.(*ecdsa.PrivateKey), []dns.RR{soa}); err != nil {`
			`t.Fatalf("couldn't sign SOA record: %v", err)`
			`}`

			`msg.Answer = append(msg.Answer, answer)`

			`case dns.TypeSOA:`

			`msg.Answer = append(msg.Answer, soa)`

			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`msg.AuthenticatedData = !opts.unauthenticated`
			`msg.Rcode = opts.rcode`

Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`rw.WriteMsg(msg)`

			`})`

			`ln, err := net.Listen("tcp", "127.0.0.1:0")`
			`if err != nil {`
			`t.Fatalf("listen failed: %v", err)`
			`}`

			`server := &dns.Server{`
			`Listener: ln,`
			`Handler: h,`
			`}`

			`go func() {`
			`server.ActivateAndServe()`
			`}()`

			`done := make(chan bool)`

			`go func() {`
			`<-done`
			`server.Shutdown()`
			`ln.Close()`
			`}()`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`return []string{ln.Addr().String()}, func() {`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`done <- true`
			`}`

			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`func TestExpirationOK(t *testing.T) {`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
			`addr, cancel := runServer(t, opts{})`
			`defer cancel()`

The DNS client instance and the network protocol is really an implementation detail, so hide it. 2018-10-05 10:58:14 +00:00			`e := NewDNSSECExporter(time.Second, addr, nullLogger())`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`exp := e.expiration("example.org", "@", "SOA")`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
			`if exp.Before(time.Now()) {`
			`t.Fatalf("expected expiration to be in the future, was: %v", exp)`
			`}`

			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`func TestExpired(t *testing.T) {`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
			`addr, cancel := runServer(t, opts{`
			`signed: time.Now().Add(14 * 24 * time.Hour),`
			`expires: time.Now().Add(-time.Hour),`
			`})`

			`defer cancel()`

The DNS client instance and the network protocol is really an implementation detail, so hide it. 2018-10-05 10:58:14 +00:00			`e := NewDNSSECExporter(time.Second, addr, nullLogger())`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`exp := e.expiration("example.org", "@", "SOA")`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
			`if exp.After(time.Now()) {`
			`t.Fatalf("expected expiration to be in the past, was: %v", exp)`
			`}`

			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`func TestValid(t *testing.T) {`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`addr, cancel := runServer(t, opts{`
			`signed: time.Now().Add(14 * 24 * time.Hour),`
			`expires: time.Now().Add(-time.Hour),`
			`})`

			`defer cancel()`

			`e := NewDNSSECExporter(time.Second, addr, nullLogger())`

			`valid := e.resolve("example.org", "@", "SOA", addr[0])`

			`if !valid {`
			`t.Fatal("expected valid result")`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`}`

			`func TestInvalidError(t *testing.T) {`

Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`addr, cancel := runServer(t, opts{`
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`rcode: dns.RcodeServerFailure,`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`})`

			`defer cancel()`

The DNS client instance and the network protocol is really an implementation detail, so hide it. 2018-10-05 10:58:14 +00:00			`e := NewDNSSECExporter(time.Second, addr, nullLogger())`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`valid := e.resolve("example.org", "@", "SOA", addr[0])`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00
			`if valid {`
Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`t.Fatal("expected invalid result")`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`}`

Use external resolvers to validate the signatures. 2018-11-10 14:18:26 +00:00			`}`

			`func TestInvalidUnauthenticated(t *testing.T) {`

			`addr, cancel := runServer(t, opts{`
			`unauthenticated: true,`
			`})`

			`defer cancel()`

			`e := NewDNSSECExporter(time.Second, addr, nullLogger())`

			`valid := e.resolve("example.org", "@", "SOA", addr[0])`

			`if valid {`
			`t.Fatal("expected invalid result")`
Added testing, restructured error handling. 2018-10-05 09:47:11 +00:00			`}`

			`}`